Topology diagram:
Configuration parameters:
R1
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
! Note: AH parameters can also be configured over Frame Relay; this was tested successfully.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.2 26
 frame-relay map ip 1.1.1.3 27
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.2.0 255.255.255.0 1.1.1.2
ip route 192.168.3.0 255.255.255.0 1.1.1.3
R3
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 36
 frame-relay map ip 1.1.1.3 36
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1
R4
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.3 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 37
 frame-relay map ip 1.1.1.2 37
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1
R2
frame-relay switching
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 26 interface Serial0/1 36
 frame-relay route 27 interface Serial0/2 37
interface Serial0/1
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 36 interface Serial0/0 26
interface Serial0/2
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 37 interface Serial0/0 27
Testing:
R2:
r2#SH FRAM ROU
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       26              Serial0/1       36              active
Serial0/0       27              Serial0/2       37              active
Serial0/1       36              Serial0/0       26              active
Serial0/2       37              Serial0/0       27              active
R1:
r1#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.2         QM_IDLE              1    0
1.1.1.1         1.1.1.3         QM_IDLE              2    0
R3:
r3#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.2         QM_IDLE              1    0
R4:
r4#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.3         QM_IDLE              1    0
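VPC:
Testing with the VPCs
VPC1:
The headquarters internal network can ping branch 1 and branch 2
VPC2:
Branch 1 can ping the headquarters internal network
VPC3:
Branch 2 can ping the headquarters internal network
Testing: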
r1#sh cry ip sa
 
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.1
 
   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 1.1.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6DA96143
 
     inbound esp sas:
      spi: 0x47E18A8B(1205963403) ------> IN corresponds to R3 OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561490/2009)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x6DA96143(1839817027)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561492/2008)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y
 
     outbound ah sas:
 
     outbound pcp sas:
 
   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 1.1.1.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.3
     path mtu 1500, media mtu 1500
     current outbound spi: 935F895E
 
     inbound esp sas:
      spi: 0x189C7927(412907815) ------> IN corresponds to R4 OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4410147/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
        IV size: 8 bytes
        replay detection support: Y
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x935F895E(2472511838)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4410149/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
        IV size: 8 bytes
        replay detection support: Y
 
     outbound ah sas:
 
     outbound pcp sas:
 
r1#
r3#sh cry ip sa
 
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.2
 
   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
 
     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 47E18A8B
 
     inbound esp sas:
      spi: 0x6DA96143(1839817027)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4434742/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
        IV size: 8 bytes
        replay detection support: Y
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x47E18A8B(1205963403) ------> OUT corresponds to R1 IN
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4434744/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
        IV size: 8 bytes
        replay detection support: Y
 
     outbound ah sas:
 
     outbound pcp sas:
 
r3#
r4#sh cry ip sa
 
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.3
 
   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
 
     local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 189C7927
 
     inbound esp sas:
      spi: 0x935F895E(2472511838)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4549234/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
        IV size: 8 bytes
        replay detection support: Y
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x189C7927(412907815) ------> OUT corresponds to R1 IN
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4549236/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
        IV size: 8 bytes
        replay detection support: Y
 
     outbound ah sas:
 
     outbound pcp sas:
 
r4#
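The IN/OUT annotations in the outputs above pair each router's outbound ESP SPI with its peer's inbound SPI. The following is an added example, not part of the original page, that automates that check; the function names are hypothetical, and the sample strings are constructed by trimming the endpoint and SPI lines from the three outputs above.

```python
import re

ENDPT = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")
SECTION = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
SPI = re.compile(r"spi: 0x([0-9A-Fa-f]+)")

def parse_esp_sas(text):
    """Return {(local, remote, direction): SPI} for each ESP SA in the output."""
    sas, pair, direction = {}, None, None
    for line in text.splitlines():
        if m := ENDPT.search(line):
            pair, direction = m.groups(), None
        elif m := SECTION.search(line):
            # Only ESP sections are tracked; AH/PCP sections reset the state.
            direction = m.group(1) if m.group(2) == "esp" else None
        elif (m := SPI.search(line)) and pair and direction:
            sas[(*pair, direction)] = m.group(1).upper()
    return sas

def mismatched_tunnels(outputs):
    """Return (local, remote) pairs whose outbound SPI differs from the peer's inbound SPI."""
    sas = {}
    for text in outputs:
        sas.update(parse_esp_sas(text))
    return sorted((loc, rem) for (loc, rem, d), spi in sas.items()
                  if d == "outbound" and sas.get((rem, loc, "inbound")) != spi)

# Constructed sample: endpoint and SPI lines trimmed from the outputs above.
R1 = """local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
inbound esp sas:
 spi: 0x47E18A8B(1205963403)
outbound esp sas:
 spi: 0x6DA96143(1839817027)
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.3
inbound esp sas:
 spi: 0x189C7927(412907815)
outbound esp sas:
 spi: 0x935F895E(2472511838)"""
R3 = """local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
inbound esp sas:
 spi: 0x6DA96143(1839817027)
outbound esp sas:
 spi: 0x47E18A8B(1205963403)"""
R4 = """local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
inbound esp sas:
 spi: 0x935F895E(2472511838)
outbound esp sas:
 spi: 0x189C7927(412907815)"""
print(mismatched_tunnels([R1, R3, R4]))
```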